3) The problem is it can circumvent an application's page security if they are using web.xml to secure their resources. Imagine they put protection on /admin/* and, unbeknownst to them, their admin section is now available under /org.richfaces.resources/.

Rather than a FacesServlet mapping, can we provide our own custom servlet to serve only these resources? This would be mapped to a URL as you proposed above, but would be secure as it would only serve the resources you intend.
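A web.xml audit for the gap described in the comment above, as an added example that is not part of the original post or of RichFaces. It assumes standard JSF prefix-mapping behaviour (the view is resolved from the path after the mapped prefix); the sample web.xml is constructed and namespace-free, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, namespace-free web.xml: /admin/* is protected and FacesServlet
# carries a prefix mapping for resources (the mapping discussed above).
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/org.richfaces.resources/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def covers(pattern, path):
    """Servlet-spec match for exact and path-prefix ('/x/*') patterns."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return pattern == path

def unprotected_aliases(xml_text):
    """List protected patterns that stay reachable, unconstrained, under a FacesServlet prefix."""
    root = ET.fromstring(xml_text)
    faces = {s.findtext("servlet-name") for s in root.iter("servlet")
             if s.findtext("servlet-class") == "javax.faces.webapp.FacesServlet"}
    prefixes = [m.findtext("url-pattern")[:-2] for m in root.iter("servlet-mapping")
                if m.findtext("servlet-name") in faces
                and m.findtext("url-pattern").endswith("/*")]
    protected = [p.text.strip() for c in root.iter("security-constraint")
                 for p in c.iter("url-pattern")]
    aliases = []
    for prefix in prefixes:
        for pat in protected:
            # Skip extension patterns and patterns already under a Faces prefix.
            if not pat.startswith("/") or pat.startswith(tuple(p + "/" for p in prefixes)):
                continue
            alias = prefix + pat
            probe = alias[:-1] + "x" if alias.endswith("/*") else alias
            if not any(covers(q, probe) for q in protected):
                aliases.append(alias)
    return aliases

print(unprotected_aliases(WEB_XML))
```

An empty result means every protected path is also constrained under each FacesServlet prefix mapping; a dedicated servlet that serves only the intended resources removes the prefix mapping from the check entirely.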